mystery "logged out" entries

Do you have any plugin installed that modifies the login or logout behavior of WordPress?

Simple History uses the filter wp_logout to log those messages, so a plugin or any of your theme-functions must call that filter.

Could you perhaps paste the info available when you click the date (a table with lots of info should popup).

Yeah, I don’t understand what’s going on.

The only thing I use that affects logins/logouts is iThemes Security, which does track if people try to hack into the site. It bans them from the site after a number of attempts. But they are never able to log in.

I’ve been using iThemes Security and Simple History both for quite a long time and this is new behavior. But something must have changed, somewhere.

This is what I get when I click the date on one of the “logged out” entries (which never have a corresponding “logged in” entry).

This is just one (new just now) “logged out” entry:

Key Value
id 1276
logger SimpleUserLogger
level info
date 2015-03-03 21:25:39
message Logged out
type
initiator other
occasionsID abfee0819f198c2782490c4ccb735367
subsequentOccasions 1
rep 1
repeated 1
occasionsIDType abfee0819f198c2782490c4ccb735367
context_message_key user_logged_out
_message_key user_logged_out
_server_remote_addr 108.162.254.149
_server_http_x_forwarded_for_0 94.153.10.213

This one had 239 logged out similar events:

Key Value
id 1108
logger SimpleUserLogger
level info
date 2015-03-03 09:49:28
message Logged out
type
initiator other
occasionsID abfee0819f198c2782490c4ccb735367
subsequentOccasions 1
rep 1
repeated 12
occasionsIDType abfee0819f198c2782490c4ccb735367
context_message_key user_logged_out
_message_key user_logged_out
_server_remote_addr 108.162.254.149
_server_http_x_forwarded_for_0 94.153.10.213

Thanks for any insight you can provide! (And, for your terrific plugin.)

all best,
Denise

I’ve been getting the same on one of the sites I manage – it uses both Simple History and iThemes Security Pro too.

There are hundreds of ‘Logged out’ messages attributed to user ‘Other’, but each one seems to be twinned with a corresponding ‘Failed to login to account with username “xxx” because an incorrect password was entered’ message – both referencing the same IP address.

e.g.:

id 194
logger SimpleUserLogger
level warning
date 2015-06-13 10:37:49
message Failed to login to account with username “{login_user_login}” because an incorrect password was entered
type
initiator web_user
context_message_key user_login_failed
_user_id
_user_login
_user_email
login_user_id 4
login_user_email [email protected]
login_user_login xxx
server_http_user_agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
_message_key user_login_failed
_server_remote_addr 62.210.105.116
_server_http_referer https://xxx.co.uk/wp-login.php

================

id 195
logger SimpleUserLogger
level info
date 2015-06-13 10:37:49
message Logged out
type
initiator other
context_message_key user_logged_out
_message_key user_logged_out
_server_remote_addr 62.210.105.116
_server_http_referer https://xxx.uk/wp-login.php

==================

I was a bit freaked out at first, as I thought the site had been compromised somehow, but after checking the site for suspicious changes & looking through the iThemes Security log, it looks like these entries all correspond to brute force attempts that have been locked out automatically by iThemes Security.

I’m happy to ignore these messages as being spurious, but it would be nice for them not to appear at all, as it’s easy to miss genuine issues amongst all this background noise. Would this be something that iThemes would have to address, or can changes be made to Simple History to solve this?

Cheers,
Mathew

thanks for the reports. I will install iThemes Security myself and see if I can reproduce.